Uploaded image for project: 'WildFly Core'
  1. WildFly Core
  2. WFCORE-1466

Wildfly SSL Setup Fails on HSM-Backed Keystore

    XMLWordPrintable

Details

    Description

      Using a keystore type that does not allow or returns empty from getEncoded() on private keys causes a KeyStoreException at startup. This is common in HSM-backed key operations.

      Storing SSL keys and certs in an HSM is a common method of securing keys and offloading SSL overhead.

      FileKeyStore.java copies a KeyStore.Entry value into a JKS KeyStore but JKS and PKCS12 KeyStore implementations maintain a copy of the encoded PKCS#8 data for private keys. When applying a KeyStore.Entry from a source that does not return the data for security reasons, the import fails.

      While it's still not guaranteed to work with all KeyStore providers, switching KeyStore.getInstance("JKS") to KeyStore.getInstance(provider) fixes the issue for SafeNet "Luna" and SunPKCS11 "PKCS11" KeyStore implementations while not breaking the "PKCS12" and "JKS" cases.

      See https://github.com/wildfly/wildfly-core/blob/master/domain-management/src/main/java/org/jboss/as/domain/management/security/FileKeystore.java#L126

      Log output:

      2016-04-04 18:53:51,100 i-4b6f79d1 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-3) MSC000001: Failed to start service jboss.server.controller.management.security_realm.test.key-manager: org.jboss.msc.service.StartException in service jboss.server.controller.management.security_realm.test.key-manager: JBAS015229: Unable to start service
	at org.jboss.as.domain.management.security.FileKeystore.load(FileKeystore.java:148)
	at org.jboss.as.domain.management.security.FileKeyManagerService.start(FileKeyManagerService.java:119)
	at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
	at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_60]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_60]
	at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_60]
Caused by: java.security.KeyStoreException: Cannot get key bytes, not PKCS#8 encoded
	at sun.security.provider.KeyProtector.protect(KeyProtector.java:174) [rt.jar:1.8.0_60]
	at sun.security.provider.JavaKeyStore.engineSetKeyEntry(JavaKeyStore.java:267) [rt.jar:1.8.0_60]
	at sun.security.provider.JavaKeyStore$JKS.engineSetKeyEntry(JavaKeyStore.java:56) [rt.jar:1.8.0_60]
	at java.security.KeyStoreSpi.engineSetEntry(KeyStoreSpi.java:537) [rt.jar:1.8.0_60]
	at sun.security.provider.KeyStoreDelegator.engineSetEntry(KeyStoreDelegator.java:179) [rt.jar:1.8.0_60]
	at sun.security.provider.JavaKeyStore$DualFormatJKS.engineSetEntry(JavaKeyStore.java:70) [rt.jar:1.8.0_60]
	at java.security.KeyStore.setEntry(KeyStore.java:1557) [rt.jar:1.8.0_60]
	at org.jboss.as.domain.management.security.FileKeystore.load(FileKeystore.java:136)
	... 6 more

      Attachments

        Activity

          People

            darran.lofthouse@redhat.com Darran Lofthouse
            redhat@jitjat.com Valued Customer (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: